SSL Encrypted private key, sha2 (256) certificate and problems

These are old archives. They are kept for historic purposes only.
davem
Posts: 3
Joined: Sat Apr 11, 2015 12:41 pm
Location: Piraeus, Greece

SSL Encrypted private key, sha2 (256) certificate and problems

Post by davem »

First of all hi to all community :)
For an unknown/unspecified reason, I have not received any email from the bug report site when I tried to register there to report bugs, so I will post my findings here, and I'm truly sorry if this is the wrong place (I was willing to do it on the bug report site, but unfortunately I cannot have an account there; I don't know why).

Let's begin:
I'm using StartSSL. They give fully trusted certificates free of charge.

Now the problem is:

From their web site, when you want to create certificates, you must give a password for the private key (and you cannot avoid it ----> only if you have already created a CSR somewhere else). So the private key is encrypted no matter what.
I chose to generate my certificate from their web tool, and I chose sha2 (sha256) for my certificate and not sha1, which is now old and not recommended.

I have successfully created the certificate, and I proceeded to install it in UnrealIRCd.

That was a total failure.

UnrealIRCd says it can't load the private key (when I'm doing ./unreal start it asks me for the private key password, and I'm putting the right one there).
As it seems, UnrealIRCd cannot work properly with sha2 (sha256) certificates and requires sha1, which is old, not recommended and insecure.

When I'm trying to load it in UnrealIRCd using the StartSSL web tools to generate a sha1 certificate, it is working OK even with private key encryption. But not for sha2.

The private key length in both cases is 2048 (4096 doesn't work with UnrealIRCd).

Maybe the devs should look into this issue? UnrealIRCd must have support for sha2 certificates and 4096-bit keys.
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Re: SSL Encrypted private key, sha2 (256) certificate and problems

Post by Syzop »

Hi,

I added -sha256 in the Makefile at a few places, to see if I can reproduce your issue:

Code:

pem:    src/ssl.cnf
    @echo "Generating certificate request .. "
    $(OPENSSLPATH) req -new \
              -sha256 -config src/ssl.cnf -out server.req.pem \
              -keyout server.key.pem -nodes
    @echo "Generating self-signed certificate .. "
    $(OPENSSLPATH) req -x509 -days 365 -sha256 -in server.req.pem \
               -key server.key.pem -out server.cert.pem
    @echo "Generating fingerprint .."
    $(OPENSSLPATH) x509 -subject -dates -sha256 -fingerprint -noout \
        -in server.cert.pem
    @echo "Setting o-rwx & g-rwx for files... "
    chmod o-rwx server.req.pem server.key.pem server.cert.pem
    chmod g-rwx server.req.pem server.key.pem server.cert.pem
    @echo "Done!. If you want to encrypt the private key, run"
    @echo "make encpem"
After deleting the existing certificates and running 'make pem' I get a certificate. If I then restart Unreal (I could have used /rehash -ssl) then it loads OK. As far as I can see it works, but I may very well overlook something (kinda in a hurry).
Similarly, if I change the amount of bits in src/ssl.cnf from 1024 to 4096 and re-run the above then it loads as well. And I can connect from mIRC.

What's the problem with your bugs* account? Could you PM me with the details of how you register (username, email) and what error (if any) you are getting? Thanks.
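An added example, not code from the thread or from UnrealIRCd: a POSIX shell script that reproduces the 'make pem' steps above with a 4096-bit key and a SHA-256 digest, encrypts the key with a passphrase the way a web CA tool does, and then runs the three checks you want when an ircd refuses to load a key: which digest signed the certificate, how large the key is, and whether the encrypted key actually decrypts with the passphrase and matches the certificate's public key. The directory, CN and passphrase are constructed for the example; it needs the openssl CLI.

```shell
#!/bin/sh
# Assumptions (constructed for this example): a scratch directory, a test
# CN and a throwaway passphrase. Nothing here comes from UnrealIRCd itself.
set -e
WORKDIR="${WORKDIR:-$(mktemp -d)}"
PASS="${PASS:-correct-horse-battery}"   # constructed test passphrase only

# Mirror 'make pem': CSR + 4096-bit key, then a SHA-256 self-signed cert.
# Finally encrypt the key with AES-256, as StartSSL's web tool forces.
gen_pem() {
    openssl req -new -newkey rsa:4096 -sha256 -subj "/CN=irc.example.test" \
        -out "$WORKDIR/server.req.pem" -keyout "$WORKDIR/server.key.pem" \
        -nodes 2>/dev/null
    openssl req -x509 -days 365 -sha256 -in "$WORKDIR/server.req.pem" \
        -key "$WORKDIR/server.key.pem" -out "$WORKDIR/server.cert.pem" 2>/dev/null
    openssl rsa -aes256 -passout "pass:$PASS" -in "$WORKDIR/server.key.pem" \
        -out "$WORKDIR/server.key.enc.pem" 2>/dev/null
    chmod go-rwx "$WORKDIR"/server.*.pem
}

# Digest used for the certificate signature, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -noout -text -in "$WORKDIR/server.cert.pem" \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Public key size in bits as reported inside the certificate.
cert_key_bits() {
    openssl x509 -noout -text -in "$WORKDIR/server.cert.pem" \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Prints "yes" when the encrypted key decrypts with passphrase $1 and its
# public half equals the certificate's SubjectPublicKeyInfo, else "no".
key_matches_cert() {
    k=$(openssl rsa -in "$WORKDIR/server.key.enc.pem" -passin "pass:$1" \
        -pubout 2>/dev/null || true)
    c=$(openssl x509 -in "$WORKDIR/server.cert.pem" -noout -pubkey)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then echo yes; else echo no; fi
}

gen_pem
echo "signature: $(cert_sig_alg)  key bits: $(cert_key_bits)"
echo "encrypted key decrypts and matches cert: $(key_matches_cert "$PASS")"
```

If the third check prints "no" for a key a CA web tool handed you, the problem is the key file or passphrase, not the certificate's digest.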
davem
Posts: 3
Joined: Sat Apr 11, 2015 12:41 pm
Location: Piraeus, Greece

Re: SSL Encrypted private key, sha2 (256) certificate and problems

Post by davem »

Hello Syzop, thanks for your answer :)

For the SSL issues with sha256, I have not generated the private key, CSR, etc. from my box, but from their web GUI. Maybe they generate private keys/certificates in unusual ways? You will reproduce the issue by using their services (for testing purposes of course) free of charge by generating a class 1 type certificate. Generate the private key from their web site (they require a password for the key), and continue the procedure to generate the server certificate. Use the private key, CSR or anything provided only by them; do not generate anything on your system using the openssl CLI. Make the appropriate adjustments to the unrealircd conf, and you will reproduce this issue :)

For the bugs account, I will send you a PM with the needed details to look into :)

Thanks again for the help :) :)

Edit:

I tried to send you a PM giving you the needed details about the bugs account problem and I'm getting this:
Some users couldn’t be added as they do not have permission to read private messages.
Last edited by davem on Fri Apr 17, 2015 4:30 pm, edited 1 time in total.
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Re: SSL Encrypted private key, sha2 (256) certificate and problems

Post by Syzop »

There seemed to be a problem with regards to sending emails at bugs.unrealircd.org. It is now solved and you should have gotten your registration e-mail.

I have no idea what that phpBB error is to be honest. Well, I can read what it says but it makes no sense :D
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Re: SSL Encrypted private key, sha2 (256) certificate and problems

Post by Syzop »

Sorry davem, I kinda forgot about your issue (also because it's not in the bug tracker I think). I have bumped the UnrealIRCd defaults for a self-signed snakeoil cert (so for 'make pem') to 4096 bit key, SHA256 digest algo, and 10yrs. Seems to work well.
Anyway, I wanted to request and test a StartSSL free certificate but the website currently gives this error so I can't try:
We are currently receiving more requests than we can handle. Please try it later again.
We apologize for the temporary inconvenience and thank you for your understanding.
davem
Posts: 3
Joined: Sat Apr 11, 2015 12:41 pm
Location: Piraeus, Greece

Re: SSL Encrypted private key, sha2 (256) certificate and problems

Post by davem »

Perhaps they had temporary tech issues. If you like to test/reproduce it, try again; perhaps their problems will be solved now (or not, anyway, try it again if you want to) :)

Yeah, it is not in the bug tracker. If you like, I can combine the 1st post and the how-to-reproduce there.
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Re: SSL Encrypted private key, sha2 (256) certificate and problems

Post by Syzop »

Nope, still same error at StartSSL website. So can't reproduce.

If you have a non-important SSL certificate then you could send the certificate and private key to me at [email protected].
Of course, if it's of any real value (to you) then it's probably a bad idea.
katsklaw
Posts: 1124
Joined: Sun Apr 18, 2004 5:06 pm

Re: SSL Encrypted private key, sha2 (256) certificate and problems

Post by katsklaw »

Could you try again Syzop? I just set up my account there today and it's working.

Thanks.
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Re: SSL Encrypted private key, sha2 (256) certificate and problems

Post by Syzop »

I believe you :)
It always worked for me, 4096 bits / SHA256, both UnrealIRCd series.